Update weave-network-policy.md (#4812)

* Update weave-network-policy.md

add how to check if weave working correctly

* modify description and words

* Update weave-network-policy.md

* Update weave-network-policy.md

* Update weave-network-policy.md

* Update weave-network-policy.md

* Update weave-network-policy.md

* Update weave-network-policy.md

* Update weave-network-policy.md

* Update weave-network-policy.md
pull/5932/merge
dengyi1996 2017-10-20 01:43:05 +08:00 committed by Zach Corleissen
parent 2b2fb7d84b
commit 1ed69650b6
1 changed files with 80 additions and 12 deletions


@ -18,19 +18,15 @@ Complete steps 1, 2, and 3 of the [kubeadm getting started guide](/docs/getting-
{% capture steps %}
## Installing Weave Net addon
## Install the Weave Net addon
Follow the [Integrating Kubernetes via the Addon](https://www.weave.works/docs/net/latest/kube-addon/) guide.
The Weave Net Addon for Kubernetes comes with a [Network Policy Controller](https://www.weave.works/docs/net/latest/kube-addon/#npc) that automatically monitors Kubernetes for any NetworkPolicy annotations on all namespaces and configures `iptables` rules to allow or block traffic as directed by the policies.
{% endcapture %}
{% capture example %}
The Weave Net addon for Kubernetes comes with a [Network Policy Controller](https://www.weave.works/docs/net/latest/kube-addon/#npc) that automatically monitors Kubernetes for any NetworkPolicy annotations on all namespaces and configures `iptables` rules to allow or block traffic as directed by the policies.
## Namespace isolation example
1. Create a namespace with `DefaultDeny`.
1. Create a Namespace with `DefaultDeny`.
```yaml
kind: Namespace
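Review bot: moving the Network Policy Controller paragraph out of the `steps` capture and into the `example` capture puts it between `{% capture example %}` and `## Namespace isolation example`, so it renders ahead of the example heading while `## Install the Weave Net addon` is left with only the one-line pointer to the Weave guide; keep the paragraph under the install heading, or place it after `## Namespace isolation example` if it is meant to introduce the example. While touching that paragraph, "NetworkPolicy annotations" is stale wording: the example later applies a `networking.k8s.io/v1` NetworkPolicy object, so "NetworkPolicy resources" is accurate, with the `DefaultDeny` annotation called out separately in step 1. The imperative heading and lowercase `addon` match the rest of the rewrite.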
@ -46,7 +42,7 @@ metadata:
}
```
2. Create 2 pods inside this namespace.
2. Create 2 Pods inside this Namespace.
```yaml
kind: Pod
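Review bot: `Create 2 Pods inside this Namespace.` capitalizes the API object names consistently with the rest of the rewrite, which is fine; spell `2` out as `two` so it is not read as a second list marker next to the `2.` that precedes it.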
@ -74,15 +70,15 @@ spec:
image: nginx
```
3. Get the IP addresses of the pods.
3. Get the IP addresses of the Pods.
```shell
kubectl get po -n myns -o wide
```
**Note:** If your cURL requests to pods are forbidden, try making cURL requests to other pods from within a pod.
**Note:** If your cURL requests to Pods are forbidden, try making cURL requests to other Pods from within a Pod.
{: .note}
4. Create a Kubernetes NetworkPolicy that allows pods within the same namespace to connect with each other.
4. Create a Kubernetes NetworkPolicy that allows Pods within the same Namespace to connect with each other.
```yaml
apiVersion: networking.k8s.io/v1
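Review bot: the note `If your cURL requests to Pods are forbidden, try making cURL requests to other Pods from within a Pod.` sits after a step whose only command in the lines shown is `kubectl get po -n myns -o wide`, so a reader has no cURL request to retry. Either add the `curl` against one of the listed Pod IPs that the note refers to, or move the note to the step that actually issues the request. The `Pods` / `Namespace` / `Pod` capitalization changes in steps 3 and 4 match the rest of the rewrite.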
@ -103,8 +99,80 @@ spec:
**Caution:** After applying the network policy, pods outside the namespace you specify may be unable to connect with pods inside the namespace.
{. :caution}
{% endcapture %}
## Test the installation
1. Verify that the weave works.
Enter the following command:
```shell
kubectl get po -n kube-system -o wide
```
The output is similar to this:
```
NAME READY STATUS RESTARTS AGE IP NODE
weave-net-1t1qg 2/2 Running 0 9d 192.168.2.10 workndoe3
weave-net-231d7 2/2 Running 1 7d 10.2.0.17 worknodegpu
weave-net-7nmwt 2/2 Running 3 9d 192.168.2.131 masternode
weave-net-pmw8w 2/2 Running 0 9d 192.168.2.216 worknode2
```
Each Node has a weave Pod, and all Pods are `Running` and `2/2 READY`. (`2/2` means that each Pod has `weave` and `weave-npc`.)
2. Create a Network Policy.
For more information, see "[Declare Network Policy](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/)".
3. Check the logs.
After creating a NetworkPolicy, check the logs:
```shell
kubectl logs -f weave-net-pmw8w weave-npc -n kube-system
```
Log output looks like this:
```log
INFO: 2017/08/14 02:22:32.511992 EVENT AddNetworkPolicy {"metadata":{"name":"aaa","namespace":"myns","selfLink":"/apis/extensions/v1beta1/namespaces/myns/networkpolicies/aaa","uid":"67b229fd-8097-11e7-92f3-005056a3bc75","resourceVersion":"1507955","generation":1,"creationTimestamp":"2017-08-14T02:22:22Z"},"spec":{"podSelector":{"matchExpressions":[{"key":"inns","operator":"In","values":["yes"]}]},"ingress":[{"from":[{"podSelector":{"matchExpressions":[{"key":"inns","operator":"In","values":["yes"]}]}}]}]}}
INFO: 2017/08/14 02:22:32.512103 creating ipset: &npc.selectorSpec{key:"inns in (yes)", selector:labels.internalSelector{labels.Requirement{key:"inns", operator:"in", strValues:[]string{"yes"}}}, ipsetType:"hash:ip", ipsetName:"weave-[T]a=ETzaKA{o*muaFe:2IX(t"}
INFO: 2017/08/14 02:22:32.538003 adding rule: [-m set --match-set weave-[T]a=ETzaKA{o*muaFe:2IX(t src -m set --match-set weave-[T]a=ETzaKA{o*muaFe:2IX(t dst -j ACCEPT]
^[^C
```
4. Finally, check the logs for iptables.
```shell
iptables -L
```
The output is similar to this:
```iptables
Chain WEAVE-NPC (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere base-address.mcast.net/4
WEAVE-NPC-DEFAULT all -- anywhere anywhere state NEW
WEAVE-NPC-INGRESS all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere ! match-set weave-local-pods dst
Chain WEAVE-NPC-DEFAULT (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere match-set weave-iuZcey(5DeXbzgRFs8Szo]+@p dst
ACCEPT all -- anywhere anywhere match-set weave-k?Z;25^M}|1s7P3|H9i;*;MhG dst
ACCEPT all -- anywhere anywhere match-set weave-4vtqMI+kx/2]jD%_c0S%thO%V dst
Chain WEAVE-NPC-INGRESS (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere match-set weave-[T]a=ETzaKA{o*muaFe:2IX(t src match-set weave-[T]a=ETzaKA{o*muaFe:2IX(t dst
```
The match-set labels have been applied to iptables, so the weave is working correctly.
{% endcapture %}
{% capture whatsnext %}
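Review bot: `{. :caution}` under the Caution paragraph is a malformed attribute list and will render as literal text; it should be `{: .caution}`, matching the `{: .note}` used earlier on the page. In the new `## Test the installation` section: step 4 says `check the logs for iptables`, but `iptables -L` lists the live rules rather than logs and must be run with root privileges on a node, not through `kubectl`, so reword it (for example `List the iptables rules on a node`) and say which node; the `^[^C` at the end of the log block is terminal residue from interrupting `kubectl logs -f` and should be dropped, or drop `-f` so the command returns on its own; `weave-net-pmw8w` is a Pod name from the author's cluster and should be flagged as a placeholder to replace with a name from the `kubectl get po -n kube-system` output; `workndoe3` in the sample output is a typo for `worknode3`; `the weave works` and `the weave is working correctly` should read `Weave Net`. Also, the `selfLink` in the sample log shows `/apis/extensions/v1beta1/` while step 4 of the example applies `networking.k8s.io/v1`, so a sentence noting the log was captured on an older API version would avoid confusing readers comparing the two.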